Google researcher discovers new type of Windows security weakness

Microsoft has said it plans to patch a new class of Windows security bug discovered by a Google Project Zero researcher despite finding no conclusive evidence that it poses a threat to users.

The unusual and complicated weakness appears to have been sitting unnoticed in Windows since as far back as XP and will be patched in the next version of Windows 10, currently named 19H1 (aka version 1903).

But if it’s not a clear threat, why patch it at all? For the answer to that, we need to explore the backstory.

According to Project Zero researcher James Forshaw, he first discovered what he assumed was a relatively straightforward kernel-mode driver Elevation of Privilege (EoP) issue in 2016, eventually fixed by Microsoft as CVE-2016-3219.

Following up a year later, however, he realised he’d stumbled upon a larger logic hole that might allow malware running in user mode (which limits privileges) to gain elevated privileges through the interaction of Microsoft and third-party kernel-mode drivers with the Windows I/O manager subsystem.

However, Forshaw was still unable to create a working proof-of-concept (many aspects of these deeper code interactions are difficult to analyse without access to proprietary source code), so he contacted Microsoft for help:

This led to meetings with various teams at Bluehat 2017 in Redmond where a plan was formed for Microsoft to use their source code access to discover the extent of this bug class in the Windows kernel and driver code base.

After a lot of work running numerous code interactions through static analysis tools, Microsoft decided:

There appeared to be no combination of initiator and receiver [jargon for API functions] present in currently supported versions of Windows that could be used for local privilege escalation out of the box.

However, because there are numerous third-party drivers that might be exploitable, and because the class of bug found by Forshaw seemed so new and unexpected, Microsoft decided to take a cautious approach and patch the issue anyway.

One possibility was making a full-scale API change, but this was ruled out because it risked breaking existing software.

As well as issuing a fix in the next Windows version due in April, Microsoft plans to update its programming documentation to draw attention to the issue and wants developers to review their code…

…to ensure correct processing of IRP requests and defensive use of the file open APIs.

Peace breaks out

Considering the way that the two companies have bickered in the past over the issue of Google’s strict 90-day disclosure timetable, the praise for Forshaw from Microsoft is unexpectedly warm:

One researcher who consistently reports high-quality, interesting vulnerabilities to us is James Forshaw of Google Project Zero.

Even so, Google’s Forshaw couldn’t resist a tiny dig regarding specific elements of the weakness:

It’s worth noting that while I applied the standard 90-day disclosure deadline to the SMB server report, I didn’t apply an explicit deadline to the bug class report.

High-fives all around, then – for now at least.